The expansion of new technologies and the opening organizations barriers to public networks such as the Internet,offer GONVARRI STEEL INDUSTRIES and GESTAMP RENEWABLES, hereinafter the Group, alternative channels tocommunicate with their customers and provide employees with new tools, and this way, increasing the efficiency oftheir business processes.

However, these new opportunities have also increased the level of risk linked to the exposure of the Group’sinformation and communications systems.

The Group considers information as one of its main assets. In this context, it is necessary to establish a frameworkthat defines the guidelines for action, by using a preventive, informative and reactive approach in order to ensurethat the integrity, availability and confidentiality of the Group’s information, as well as that of its customers, cannotbe endangered.

The Group’s Information Security Policy sets up a framework designed to facilitate the definition, management,administration and establishment of the mechanisms and security procedures required to address the implementationof the appropriate security level that corresponds to the Group’s information assets, depending on the level of riskassociated with them.

Therefore, this Information Security Policy sets forth the following principles and criteria:

  1. The security of the information that the Group collects, processes, stores and transfers isessential to guarantee its heritage.
  2. The Group assumes as a premise of its Information Security Policy the adaptation bothinformation systems and the physical storage devices, standards, regulations, regulatorybodies and/or regulations of the application sorted by its activities in each geographical area.
  3. The Group’s priority is to provide employees, customers and visitors with satisfactory securitymeasures in the use of the Group’s information systems.
  4. The security of the information, as well as the security of the systems and the devices usedto collect, process, store and transfer the aforesaid information, is essential to ensure thecontinued operation of the business. Security Plans, Policies, Procedures and Mechanisms willbe established to ensure confidentiality, integrity and availability of this information.
  5. Security of the information shall be considered as part of usual operations. It shall be presentand applied from the initial design of the processes and information systems.
  6. It is essential to have updated inventories of the services and the information assets on whichthey are based, as well as inventories of their managers or owners and their risks linked to them.This action enables the continuous analysis of such risks and allows new security measuresand mechanisms to be designed and implemented by adequately managing changes.
  7. The value of the information will be known, and thus, classification methods will be specifiedaccording to the level of importance for the organization, developing the processes linked toits treatment, storage, transmission, declassification, access, reproduction and destruction inaccordance with its classification level.
  8. The Group can limit and/or monitor the access to its information, both as regards people andphysical or logical objects, so it will establish pertinent control systems.
  9. The effectiveness of the security of the organization shall be based on compliance with thecorporate standards, the quality of the security systems and the good service provided by thecompanies contracted, establishing the necessary monitoring and control mechanisms for theproper performance of the guidelines from the Information Security Plan.
  10. Security is an activity in which of all employees and collaborators of the Group are involved,and must develop their activities ensuring a proper assets protection of the Group, by knowing,assuming and applying the security rules and procedures.
  11. The implementation of the security measures contained in the Information Security Plan willbe gradually implemented, in accordance with the instructions that come from the InformationSecurity Committee of the Group.